California has pushed through an online privacy law that is sending some shockwaves through the Internet economy. On Thursday, June 29, the legislature passed the California Consumer Privacy Act of 2018 (“CCPA”), which the Governor signed swiftly. Beginning January 1, 2020, many companies that do business in California will need to make significant changes and provide consumers, including minors, significantly more control of their personal information.
While the CCPA is in many ways a game-changer in the U.S., it is fair to anticipate that it will evolve some before the implementation date. Companies with concerns should consider how to participate in the legislative process, as California will likely amend the statute and now is the time to think through where clarifications or changes may be needed. It is also possible that there will now be a stronger push for federal legislation. Otherwise, we may see piece-meal, perhaps conflicting, state by state regulation for which it will be burdensome and potentially impossible for businesses to comply.
At its core, the CCPA gives residents of California the right to know what personal information a business is collecting, the right to access that information and request deletion (with certain important exceptions), the right to know whether their information is sold, shared or disclosed (and to generally to whom), the right to opt-out of the sale of their personal information (or the right to opt-in for users younger than age 16), and the right to receive the same service at the same price, even if they exercise their privacy rights, although certain financial incentives are acceptable. CCPA also provides a private right of action in the event of a breach or unauthorized access to personal information.
Here are some key-takeaways to start considering:
Will the regulation apply to my business?
Quite possibly. The CCPA will apply to more than just technology companies or data brokers – it applies to all companies doing business in California with annual gross revenues of more than 25 million dollars, as well as companies that share or receive for business purposes the personal information of 50,000 or more individuals (or households or devices) – a definition likely to ensnare many U.S. businesses.
How broad is the CCPA in its reach?
Very. First, it covers all California residents – not just consumers or customers (which is different than some of the existing CA privacy statutes). Second, the definition of personal information is extremely broad, and includes information that could be reasonably linked, even indirectly, with a particular person or household. It specifically encompasses IP address and other persistent identifiers, as well as biometric information (broadly defined) and Geolocation data (not defined). Accordingly, many companies that do not think of themselves as having “personal information” may discover that they do, at least as defined by the CCPA.
Is this just like the EU’s General Data Protection Regulation (GDPR)?
Yes and no. Many of the rights provided to consumers are similar – including the right to access and request deletion of data. But there are key differences. Even companies that extended GDPR consumer rights to U.S. residents will have new provisions to deal with and even similar provisions have different definitions and nuances. Certainly companies who are well equipped to deal with GDPR are ahead of the game, but there is work ahead for everyone.
Does CCPA apply if I do not sell personal information?
Yes – much of the CCPA applies more broadly as noted above and the disclosure requirements apply equally whether the business “sells” the information or discloses it for a business purpose – which is defined as operational purposes and includes service providers. More importantly, the definition of “sell” goes well beyond what it typically means to “sell” data. Here, it means essentially any sharing or providing of personal information to another business or other third party “for monetary or other valuable consideration.” Accordingly, the additional requirements for those who “sell” personal information are likely to apply in a number of online marketing scenarios where consumer data is the currency even where there is no direct monetary payment for that data. In addition, given the broad definition of personal information, much of the online advertising ecosystem is likely to be caught up in this law even where traditionally the parties have considered themselves to be using non-personal information.
What are some key red flags?
The impact of CCPA and where there may be significant open questions for implementation and compliance will vary widely depending on the business. However, there are some key provisions that may cause significant issues:
- Businesses must provide information upon a “verifiable consumer request.” We can anticipate some significant debate as to what is acceptable and sufficient here, as well as potentially some action if a business gets it wrong.
- Many organizations will need significant changes to internal infrastructure and processes in order to provide the level of detail required. A consumer’s information may be shared in many contexts, across partnerships, by several divisions and with numerous 3rd parties. Even disclosing all information collected could be difficult where it is dispersed across an organization.
- Opting out of the selling of personal information likely equates to the right to opt-out of sharing for online advertising purposes (essentially making the current self-regulatory program law and requiring it of all parties who share the data for valuable consideration). Given the current definition of “personal information” and the current definition of “sell,” consumers would appear to have this fundamental right under the current language of the CCPA.
- The issue of what is an acceptable financial incentive versus banned “charging different prices” is destined to be debated intensely. To add to the confusion, even if one determines it is using only a “financial incentive program,” one must also make sure it is not “unjust, unreasonable, coercive or usurious in nature.” Ready, set, discuss . . . .
- While de-identifed information is essentially outside the scope, information that is today thought of as de-identifed may be personal information for purposes of CCPA. For example, hashed email addresses (often defined specifically as de-identified data in privacy policies and used in place of personal information for multi-party marketing transactions), may not qualify here. CCPA defines de-identified personal information as “information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer.” Remember that a consumer is a person who is a CA resident, however identified, including by an unique identifier, and personal information means information that can be associated with consumer or household.
- At what point is location data “geolocation data” and therefore personal information? The term is undefined within CCPA and will certainly garner varying opinions.
- Persons 13-15 and websites that may “willfully disregard a consumer’s age.” CCPA provides an opt-in right for users 13-15 (or opt-in by a parent for children younger than age 13) before a business sells the personal information of that consumer. This applies where the business has actual knowledge that the consumer is younger than age 16 unless the business “willfully disregards the consumer’s age” – in which case actual knowledge is imputed. This may be a significant issue for websites, apps and other businesses that have a significant teen audience. What affirmative steps, if any, are required to ensure the business is not willfully disregarding age?
Will I need to include “Do Not Sell My Personal Information” on my website?
This link is required for those who fall within the definition of a business that “sells” personal information – which remember includes sharing for “valuable consideration.”
What are the penalties?
Note that a business is not in violation of CCPA unless it fails to cure a violation within 30 days after being notified of noncompliance. The California Attorney General may impose penalties for violations (a maximum of $7,500 per violation for intentional violations). In the event of a breach, any consumer may bring a civil action to recover damages ($100-$750 per consumer per incident or actual damages, whichever is greater) and to obtain injunctive or declaratory relief (which may be more significant depending on what is enjoined).
Should I panic now?
Not yet. But it is essential to consider carefully how CCPA may impact your business to consider whether to engage directly with the legislative process to work toward a clearer and in some cases more reasonable regulation. It may make sense to see how certain provisions evolve and any additional guidance provided by the Attorney General. However, like GDPR, this law will take significant compliance and most companies will need to start diving in relatively soon.